This invention relates generally to the field of secure computing environments and, more particularly, to a method and apparatus for securely transferring trust from a current trusted authority to a new trusted authority in a computing system.
There are many challenges to creating a highly secure computing environment such as preventing eavesdroppers from accessing private communications, preventing vandals from tampering with information while in transit from sender to receiver, authenticating users logging into a network, verifying a network server is indeed the server it professes to be and safeguarding confidential documents from unauthorized individuals.
One of the more difficult challenges is preventing unauthorized individuals from changing the basic configuration of a computer such as changing the software that is used to start the computer. In order to prevent changes to such software, known as the boot image, conventional systems rely on passwords and other security measures to prevent unauthorized physical access. These measures, however, do not protect network computers that load the startup software over a network. For example, these measures do not protect network computers from downloading startup software that has been damaged or tampered with. In addition, these measures require activation by an administrator and, therefore, do not prevent unauthorized alterations to the computer during transit from the manufacturer to the customer. Thus, manufacturers are unable to xe2x80x9cguaranteexe2x80x9d that the delivered computer has not been tampered with.
For the reasons stated above, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for a security module that protects a computer against unauthorized changes to configuration data. There is also a need for a security module that prevents any such changes immediately after manufacturing. There is also a need for such a mechanism that securely transfers authority from the manufacturer to the customer.
As explained in detail below, the present invention provides a security module for verifying whether a request to reconfigure a computing system was indeed issued by a trusted authority. As such, the present invention facilitates the secure transfer of trust from one trusted authority to another, such as from a manufacturer to a customer.
According to one aspect, the invention is a computing system having a persistent store for holding information indicative of a current trusted authority. A security module executing on the computing system determines whether to grant a request to modify configuration data within the computing system as a function of the information within the persistent store. In another embodiment the invention is a method for manufacturing a computer system having such a security module.
According to another aspect, the invention is a method for securely transferring trust in a computer system from a first trusted authority to a second trusted authority. Information indicative of a first trusted authority is stored in a persistent store of a computer. When a request to overwrite the information with information indicative of a second trusted authority is received, the invention determines whether the first trusted authority issued the request. The information within the persistent store is overwritten with the information indicative of the second trusted authority when the first trusted authority issued the request.
According to yet another aspect, the invention is a method for configuring a computing system. A request to reconfigure the computing system is validated as a function of trusted authority information maintained by the persistent store within the computer. The computing system is configured with the new data when the request is validated. These and other features and advantages of the invention will become apparent from the following description of the preferred embodiments of the invention.